CVE-2025-27380
Published: 22 January 2026
Summary
CVE-2025-27380 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Altium On-Prem Enterprise Server. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). By exploit likelihood it ranks at the 5.1 percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-27380 is an HTML injection vulnerability (CWE-79) in the Project Release component of Altium Enterprise Server (AES) version 7.0.3, affecting all supported platforms. Published on 2026-01-22, it has a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N). The flaw enables an authenticated attacker to inject crafted HTML content, leading to the execution of arbitrary JavaScript in the victim's browser.
An authenticated user with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L), though it requires user interaction (UI:R) from the victim. Successful exploitation changes the scope (S:C), resulting in high confidentiality impact (C:H) through cross-site scripting, allowing the attacker to steal sensitive data visible in the victim's browser session, such as session tokens or user information, while having limited integrity (I:L) and no availability (A:N) impact.
For mitigation details, refer to the Altium security advisory at https://www.altium.com/platform/security-compliance/security-advisories.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4174
Vulnerability details
HTML injection in Project Release in Altium Enterprise Server (AES) 7.0.3 on all platforms allows an authenticated attacker to execute arbitrary JavaScript in the victim’s browser via crafted HTML content.
- CWE(s): CWE-79 (Cross-site Scripting)
Related Threats
MITRE ATT&CK Enterprise Techniques: Browser Session Hijacking (T1185)
Why these techniques?
XSS via HTML injection directly enables browser session hijacking to steal tokens/session data.
Mitigating Controls (NIST 800-53 r5)
- Directly remediates the specific HTML injection flaw in Altium Enterprise Server 7.0.3 by identifying, reporting, and applying the vendor's patches or updates.
- SI-15 (Information Output Filtering): filters HTML content before it is rendered in the victim's browser, preventing execution of arbitrary JavaScript carried in injected crafted content.
- SI-10 (Information Input Validation): validates incoming HTML content in the Project Release component against the expected formats, blocking malicious inputs that could lead to JavaScript execution.